high
7.5
Advisory Published
Updated

CVE-2023-30585

First published: Tue Nov 28 2023(Updated: )

A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or "non-privileged") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged "msiexec.exe" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations. It is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue.

Credit: support@hackerone.com

Affected SoftwareAffected VersionHow to fix
Nodejs Node.js>=16.0.0<16.20.1
Nodejs Node.js>=18.0.0<18.16.1
Nodejs Node.js>=20.0.0<20.3.1
IBM Planning Analytics<=2.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the vulnerability ID for this Node.js installation vulnerability?

    The vulnerability ID for this Node.js installation vulnerability is CVE-2023-30585.

  • What is the affected software for this vulnerability?

    The affected software for this vulnerability is Node.js, specifically versions between 16.0.0 and 20.3.1.

  • How does this vulnerability impact Windows users?

    This vulnerability impacts Windows users who install Node.js using the .msi installer.

  • What is the severity rating of this vulnerability?

    The severity rating of this vulnerability is high, with a score of 7.5.

  • How can I fix this Node.js installation vulnerability?

    To fix this vulnerability, update Node.js to a version that is not affected by the vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203